Device Admin (TACACS+)
Cloud TACACS+ is centralized device administration (AAA) for your switches, routers, and firewalls — who can log in, what shell privilege they get, and exactly which commands they may run, with a full per‑command audit trail (RBAC).
Enforcement runs through the outbound‑only DashX agent on your LAN — no inbound ports, no VPN. Devices and identities are shared with RADIUS, so the NAS entries and directory you already set up carry over.
How the pieces fit
| Sub‑tab | What you do there |
|---|---|
| Settings | Turn TACACS+ on, choose RBAC/audit behavior, default privilege, MFA |
| Command Sets | Define reusable permit/deny command rules (e.g. "NOC read‑only") |
| User Policies | Map users/groups → a command set + shell privilege on which devices |
| Command Audit | Review every command that was run, permitted or denied |
| Device Setup | Copy the vendor config to point your gear at DashX |
Setup order
- Settings — enable TACACS+ and set defaults.
- Command Sets — build the permit/deny rule groups you'll assign.
- User Policies — bind groups to command sets, privilege, and device groups.
- Device Setup — configure each network device.
- Command Audit — verify commands are being logged as expected.